archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/windows/appcompat/shims/specific/sierracartracing.cpp

124 lines
3.3 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2000-2002 Microsoft Corporation
  5. Module Name:
  7. SierraCartRacing.cpp
  9. Abstract:
  11. Sierra Cart Racing passes a bad pointer to InitializeSecurityDescriptor which overwrites
  12. part of the SECURITY_ATTRIBUTES structure and some other stack memory.
  14. The original version of this shim would fail the call to InitializeSecurityDescriptor,
  15. and force a NULL security descriptor to CreateSemaphoreA. To reduce the security risk,
  16. the shim was modified to only pass a NULL security descriptor to CreateSemaphoreA if
  17. it detects that the LPSECURITY_ATTRIBUTES was overwritten by InitializeSecurityDescriptor,
  18. and restores the memory overwritten by InitializeSecurityDescriptor.
  20. Notes:
  22. This is an app specific shim.
  24. History:
  26. 11/03/1999 linstev Created
  27. 03/15/2002 robkenny Re-created to pass security muster.
  29. --*/
  31. #include "precomp.h"
  33. IMPLEMENT_SHIM_BEGIN(SierraCartRacing)
  34. #include "ShimHookMacro.h"
  36. APIHOOK_ENUM_BEGIN
  37. APIHOOK_ENUM_ENTRY(CreateSemaphoreA)
  38. APIHOOK_ENUM_ENTRY(InitializeSecurityDescriptor)
  39. APIHOOK_ENUM_END
  41. BOOL g_BLastSecurityDescriptorSet = FALSE;
  42. SECURITY_DESCRIPTOR g_LastSecurityDescriptor;
  44. /*++
  46. Use the default security descriptor.
  48. --*/
  50. HANDLE
  51. APIHOOK(CreateSemaphoreA)(
  52. LPSECURITY_ATTRIBUTES lpSemaphoreAttributes,
  53. LONG lInitialCount,
  54. LONG lMaximumCount,
  55. LPCSTR lpName
  56. )
  57. {
  58. if (lpSemaphoreAttributes && g_BLastSecurityDescriptorSet)
  59. {
  60. // Initialize a security descriptor
  61. SECURITY_DESCRIPTOR securityDescriptor;
  62. InitializeSecurityDescriptor(&securityDescriptor, SECURITY_DESCRIPTOR_REVISION);
  64. // Check to see if them memory starting at lpSemaphoreAttributes->lpSecurityDescriptor
  65. // contains the same memory as a security descriptor.
  66. int compareResult = memcmp(&securityDescriptor,
  67. &lpSemaphoreAttributes->lpSecurityDescriptor,
  68. sizeof(securityDescriptor));
  69. if (compareResult == 0)
  70. {
  71. // Restore the overwritten memory
  72. memcpy(&lpSemaphoreAttributes->lpSecurityDescriptor, &g_LastSecurityDescriptor, sizeof(g_LastSecurityDescriptor));
  74. // lpSemaphoreAttributes is bogus
  75. lpSemaphoreAttributes = NULL;
  76. }
  77. }
  79. return ORIGINAL_API(CreateSemaphoreA)(
  80. lpSemaphoreAttributes,
  81. lInitialCount,
  82. lMaximumCount,
  83. lpName);
  84. }
  88. /*++
  90. Returns false for InitializeSecurityDescriptor. i.e. do nothing so we don't
  91. touch the stack.
  93. --*/
  95. BOOL
  96. APIHOOK(InitializeSecurityDescriptor)(
  97. PSECURITY_DESCRIPTOR pSecurityDescriptor,
  98. DWORD dwRevision
  99. )
  100. {
  101. // Save the memory that will be overwritten.
  102. if (pSecurityDescriptor)
  103. {
  104. g_BLastSecurityDescriptorSet = TRUE;
  105. memcpy(&g_LastSecurityDescriptor, pSecurityDescriptor, sizeof(g_LastSecurityDescriptor));
  106. }
  107. return ORIGINAL_API(InitializeSecurityDescriptor)(pSecurityDescriptor, dwRevision);
  108. }
  110. /*++
  112. Register hooked functions
  114. --*/
  116. HOOK_BEGIN
  118. APIHOOK_ENTRY(KERNEL32.DLL, CreateSemaphoreA)
  119. APIHOOK_ENTRY(ADVAPI32.DLL, InitializeSecurityDescriptor)
  121. HOOK_END
  123. IMPLEMENT_SHIM_END